Subject: Re: [saml-dev] Multiple AuthnStatements in Assertion

On 2/12/14, 2:14 AM, "Philpott, Robert" <robert.philpott@rsa.com> wrote:

>While it may not be done in many (any?) major public SPs today, I am
>aware of some enterprise deployments (and a government one) that have
>done it and rely on it. It is certainly something supported in our
>implementation and it does get used.  That doesn't mean it is
>justification for including or excluding it. In your case, I think you
>should take stock of the target community you are trying to service and
>anticipate the security requirements of that community.  But I would not
>just look at today's requirements, but also where you believe they may
>head over the next few years.  We run across cases regularly where
>step-up auth is very important.  In some cases they want to support that
>with federation use cases in addition to local authn and they can't do it
>if the SAML support is limited.  If that applies to your community, then
>I'd think twice about forcing restrictions like that.

I don't think supporting step-up implies anything about supporting two
statements. That's not the only way to address it, and in fact I'd be
shocked if any application cared about anything but the "up" part, the
statement reflecting the stronger method.

The other problem is that using AuthnContext to advertise technology
methods flies against the trend of using that to express the overall
assurance level of the transaction.

But the larger point is simply that nothing in the standard would make
this interpretation interoperable, which is relevant to somebody trying to
build something now.

-- Scott
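To make the SP-side consequence of this exchange concrete, here is an added example (not code from the saml-dev thread, nor from RSA's or Shibboleth's implementations) that parses a constructed assertion carrying two AuthnStatements and picks out the one an application actually cares about: the "up" statement with the stronger method. The assertion XML is constructed for the example; the AuthnContextClassRef URIs are real SAML 2.0 authentication context classes, but the numeric assurance ranking assigned to them is a hypothetical SP policy, not something the standard defines. The `multiple_statements` flag is there so an SP can decide for itself whether to accept or reject an assertion shape that the standard does not make interoperable.

```python
"""Evaluate the AuthnStatements of a SAML 2.0 assertion on the SP side.

Added example, not from the saml-dev thread. The assertion below is
constructed; ASSURANCE_RANK is a hypothetical SP policy, not anything the
SAML specification mandates. Signature validation and a hardened XML
parser (e.g. defusedxml) belong in front of this code in a real SP.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP policy: higher number = stronger assurance.
# Unknown classes fall back to rank 0 (weakest) rather than being trusted.
ASSURANCE_RANK = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": 3,
}

# Constructed assertion: a password login followed by an OTP step-up,
# expressed as two AuthnStatements in one assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2014-02-12T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2014-02-12T09:50:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AuthnStatement AuthnInstant="2014-02-12T09:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authn_statements(assertion_xml):
    """Return (AuthnInstant, AuthnContextClassRef) per AuthnStatement, in document order."""
    root = ET.fromstring(assertion_xml)
    result = []
    for stmt in root.findall("saml:AuthnStatement", NS):
        ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
        class_ref = ref.text.strip() if ref is not None and ref.text else None
        result.append((stmt.get("AuthnInstant"), class_ref))
    return result


def effective_authn_context(assertion_xml, required_rank=None):
    """Select the strongest statement and report whether it meets the SP's requirement.

    Returns a dict with the chosen class, its policy rank, its AuthnInstant,
    whether the assertion carried more than one statement, and whether the
    chosen rank satisfies required_rank (if given).
    """
    stmts = authn_statements(assertion_xml)
    if not stmts:
        raise ValueError("assertion carries no AuthnStatement")
    ranked = [(ASSURANCE_RANK.get(ref, 0), instant, ref) for instant, ref in stmts]
    # Only the "up" part matters to the application: take the strongest statement.
    rank, instant, ref = max(ranked, key=lambda r: r[0])
    return {
        "class_ref": ref,
        "rank": rank,
        "authn_instant": instant,
        "multiple_statements": len(stmts) > 1,
        "satisfies_requirement": required_rank is None or rank >= required_rank,
    }


if __name__ == "__main__":
    print(effective_authn_context(SAMPLE_ASSERTION, required_rank=2))
```

An SP that wants to stay strictly within what the standard guarantees can treat `multiple_statements` as a reason to reject the assertion; one that has agreed an out-of-band profile with its IdP can instead use the selected `class_ref` and `rank`. Either way the decision is explicit rather than depending on which statement happens to come first in the document.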

